Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler

Severity:: Medium

Description

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground’s OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim’s session.

Recommendation

Update the agents package to the latest compatible version. Followings are version details:

Affected version(s): < 0.3.10
Patched version(s): 0.3.10

References

GHSA-cvhv-6xm6-c3v4
CVE-2026-1721
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site - Vulnerability
Svelte SSR vulnerable to cross-site scripting via spread attributes - CVE-2026-42599
Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting - CVE-2026-0824

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; agents

Anything's wrong? Let us know Last updated on February 13, 2026